
As I’ve written previously, I’m very skeptical of Bloomberg’s report about China placing hardware spy chips on server motherboards used by U.S. companies. China is actively spying on U.S. businesses all the time, I believe, and has already stolen most of the intellectual property secrets it is interested in. The Chinese are on their way to becoming the world’s leading economic power, and manufacturing computer chips is a big part of that equation. I don’t think they would jeopardize that business so blatantly.

If any good is to come out of the Bloomberg article, it is that it brings the problem of the supply chain to the forefront. If nearly every computer device and chip is made by potential adversaries, how can you ever be assured that what you are buying doesn’t have intentional bugs or even spying chips?


The supply chain is the aggregation of all entities that provide the products and services other entities need to deliver their own products and services to their customers. In theory, any entity in that chain can knowingly or unknowingly introduce insecurity that affects the final product. This is exactly the issue the Bloomberg authors and their anonymous sources allude to: a spy chip placed on motherboards that eventually end up in servers used by foreign companies.

IT supply chain risk has always existed

This is not a new issue. The world’s best security analysts, intelligence agencies and security teams have been working on it for well over a decade. It has become a huge concern and is possibly one of the biggest problems all nations face. In an interconnected world, how can you trust any of the dozens to hundreds of separate components and companies involved in the supply chain?

Well, to start with, we are already trusting it, and have been for roughly half a century. We have lived with computer device supply chain risk since personal computers were invented; they contained foreign-supplied chips from the start and still do. So far, despite occasional media flare-ups, confirmed compromise by foreign adversaries has been sparse to non-existent, depending on which nation you are trying to defend. It isn’t just the U.S. that has a supply chain trust issue. As I pointed out last week, the NSA and FBI are known for placing spying software and hardware into adversaries’ supply chains.

We are handling the cost/risk trade-off fairly well. Yes, a compromise executed through the supply chain has happened a few times, but it hasn’t been widespread. Or has it? The sad fact is that, because the world has no coordinated way of checking for or detecting maliciously placed spy software or hardware, we really don’t know how bad the problem is. It is very hard to do a cost/benefit analysis on a risk you can’t even put a price tag on.

Keeping the supply chain status quo is not an option

So, one solution is no solution: keep things as they are. As far as we know, incidents of nations maliciously tampering with the supply chain are rare. If a nation-state compromised the supply chain too routinely, other nations would stop buying its chips, so the problem would be self-correcting. We’ve made it so far, so good, using this “strategy.”

When do you use a detect-and-regulate supply chain strategy?

How do you measure the risk of an adversary maliciously compromising your nation’s supply chain, especially for military weapons, as the U.S. reportedly did to North Korea for years? If you’re unfamiliar with this story, let’s just say that North Korea’s earlier string of “bad luck” in testing ballistic missiles, which either exploded on take-off or careened badly off course soon after, was a supply chain issue, likely involving the U.S. Once the Russians stepped in to help North Korea get rid of its supply chain problems, those missiles stopped exploding and stayed on course. Who’s to say it can’t happen to the U.S. or any other nation?

Well, for one, the U.S. military already has programs to prevent supply chain issues in its most critical systems. Many levels of the U.S. government have programs that look for malicious supply chain tampering. That is precisely why I don’t believe we have a widespread problem of Chinese spy chips all over the U.S.

The question is at what level of the supply chain we start requiring stricter oversight and monitoring. For example, we know there are tens of millions of vulnerable Wi-Fi routers and web cameras, many of them merely “consumer-focused.” How do we know a foreign adversary isn’t exploiting the router, camera or baby monitor in the home of an engineer or executive at a critical infrastructure company? We don’t.


The opposite school of thought to the “keep the status quo” argument is that we need to check all computer devices for spying hardware, software and firmware. This could be done by government or by industry groups (like Underwriters Laboratories [UL] or Consumer Reports). The problem is that every government wants to spy on people, both its own citizens and those of other countries. Asking the government to make sure everything is secure and free of spying is asking the fox to guard the henhouse. At the same time, I’m not sure we can do what needs to be done without government involvement.

The supply chain security solution needs to be global

To instill trust in the IT supply chain, we need to start with a global, universal declaration, agreed to by all signatory nations, that says something like: “We will not hack using intentional, maliciously induced supply chain flaws.” I like this declaration because it leaves governments wiggle room to take advantage of zero-day exploits they discover but did not cause. Heck, just getting this agreement would be a huge win for the world.

Second, we need the government to create a nationally funded regulatory group, much like UL, but focused on testing for and ferreting out supply chain issues in computer devices. Any citizen could still buy a device without the supply chain “stamp of approval,” knowing that it carries a higher risk of a supply chain compromise. This would allow people and entities that want more assurance against supply chain attacks to get it, while still allowing companies that need to innovate faster than a regulatory framework permits to do so.

Every nation needs a nationally created and funded regulatory group that can look for supply chain issues but isn’t directly governed by the government. It’s not perfect. It’s like asking the foxes to pay for the shepherds who protect the henhouse, but I don’t see any other realistic way for a supply chain security solution to actually work. Or we can keep the status quo and hope for the best.